On 12 March 2010 c. 03:23:00 Stuart Henderson wrote: > On 2010-03-11, Christopher Zimmermann <madro...@zakweb.de> wrote: > > Hi, > > > > my -current firewall is configured to block all in, block all out > > and allow only certain outbound connections. > > > > Now I want to allow outbound ftp connections. > > > > I read ftp-proxy(8) and > > http://openbsd.org/faq/pf/ftp.html#client. > > > > As I understand it, ftp-proxy could be used to create rules for > > inbound and outbound connections on 4.6. Now on -current the rdr > > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) > > suggests using rdr-to, but this only works for inbound > > connections. > > > > Is it possible to allow ftp connections from a local client to > > public ftp serves on the internet? Possibly by using ftp-proxy? > > I suspect your understanding of "inbound" is from the viewpoint > of your network; PF doesn't care about that at all, it's only > concerned with whether a packet is inbound or outbound to a > particular interface. > > rdr only works for inbound connections too. > > A rule like the following works just fine for a ftp connection > from a local client to a public ftp server: > > pass in quick log on {lan, wifi, natted} inet proto tcp \ > to port 21 rdr-to 127.0.0.1
Well, if "block out all" is set on external interface then ftp-proxy outgoing connections will be blocked - ftp-proxy(8) does not create PF rules for connections itself. Something like pass out on $ext_if from ($ext_if) to port ftp will workaround this, but I think ftp-proxy(8) should be fixed instead... -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?